46c914d6719dbf9f865f499d3cce7ce204ed0f742e4de7d57e15f0bb104b3075

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-04-2024 07:43

Target

ea94418d36f12bfa4e89b1f42e4bea17_JaffaCakes118.exe
Size

21KB
MD5

ea94418d36f12bfa4e89b1f42e4bea17
SHA1

80dd9033338460d4104db01c058adcb24d9257fe
SHA256

46c914d6719dbf9f865f499d3cce7ce204ed0f742e4de7d57e15f0bb104b3075
SHA512

2bfe06d9e643dd601bbd60757415bc2189abefc4a1b7bdf2080a76a49a95ebd0e242d500375205610d935dc668a1ac673a4f84761e0753916f77f1ca3cc2b53f
SSDEEP

384:yL2pWOS0atkRRATSI5B9i5nsSCHQW0ycxaaujT5BFZ49/15ViMi:stOGhGYin1yQW0ycxD6bFZME

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2232	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2292	WinHxol32.exe

Loads dropped DLL 2 IoCs

pid	Process
2160	ea94418d36f12bfa4e89b1f42e4bea17_JaffaCakes118.exe
2160	ea94418d36f12bfa4e89b1f42e4bea17_JaffaCakes118.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WinHxol32.exe	ea94418d36f12bfa4e89b1f42e4bea17_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WinHxol32.exe	ea94418d36f12bfa4e89b1f42e4bea17_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WinHxol32.exe	WinHxol32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2160	ea94418d36f12bfa4e89b1f42e4bea17_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2292	WinHxol32.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 2292	2160	ea94418d36f12bfa4e89b1f42e4bea17_JaffaCakes118.exe	28
PID 2160 wrote to memory of 2292	2160	ea94418d36f12bfa4e89b1f42e4bea17_JaffaCakes118.exe	28
PID 2160 wrote to memory of 2292	2160	ea94418d36f12bfa4e89b1f42e4bea17_JaffaCakes118.exe	28
PID 2160 wrote to memory of 2292	2160	ea94418d36f12bfa4e89b1f42e4bea17_JaffaCakes118.exe	28
PID 2160 wrote to memory of 2232	2160	ea94418d36f12bfa4e89b1f42e4bea17_JaffaCakes118.exe	29
PID 2160 wrote to memory of 2232	2160	ea94418d36f12bfa4e89b1f42e4bea17_JaffaCakes118.exe	29
PID 2160 wrote to memory of 2232	2160	ea94418d36f12bfa4e89b1f42e4bea17_JaffaCakes118.exe	29
PID 2160 wrote to memory of 2232	2160	ea94418d36f12bfa4e89b1f42e4bea17_JaffaCakes118.exe	29
PID 2292 wrote to memory of 2508	2292	WinHxol32.exe	30
PID 2292 wrote to memory of 2508	2292	WinHxol32.exe	30
PID 2292 wrote to memory of 2508	2292	WinHxol32.exe	30
PID 2292 wrote to memory of 2508	2292	WinHxol32.exe	30

C:\Users\Admin\AppData\Local\Temp\ea94418d36f12bfa4e89b1f42e4bea17_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ea94418d36f12bfa4e89b1f42e4bea17_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\SysWOW64\WinHxol32.exe
  "C:\Windows\system32\WinHxol32.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\WINHXO~1.EXE > nul
    3⤵
    PID:2508
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\EA9441~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2232

\Windows\SysWOW64\WinHxol32.exe

Filesize
21KB

MD5
ea94418d36f12bfa4e89b1f42e4bea17

SHA1
80dd9033338460d4104db01c058adcb24d9257fe

SHA256
46c914d6719dbf9f865f499d3cce7ce204ed0f742e4de7d57e15f0bb104b3075

SHA512
2bfe06d9e643dd601bbd60757415bc2189abefc4a1b7bdf2080a76a49a95ebd0e242d500375205610d935dc668a1ac673a4f84761e0753916f77f1ca3cc2b53f

Download Submit